Federal Regulators Crack Down on Financial Institutions Allowing “Off-Channel” Communication
Since late 2021, U.S. federal regulators have fined financial institutions over $1 billion for allowing employees to conduct business using “off-channel” communication, which is defined as digital and electronic communication conducted using channels outside the company’s approved and controlled systems.
Initially, the regulatory push was primarily directed at the largest Wall Street banking organizations, such as JP Morgan Chase and Citigroup, but recently large regional banking organizations, such as KeyCorp and Fifth Third, have announced they are facing similar investigations.
The publicly announced fines and investigations – initiated by the U.S. Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) – have been directed at the investment arms of the target companies; however, the legal concerns and risk issues driving the regulatory initiative appear relevant to all banks and to traditional banking functions.
Off-Channel Communication
Generally, financial institutions require employees to use approved digital/electronic communication systems, such as the company email system, for business-related communication. These systems are built with cybersecurity protection controls and are set to meet required record retention standards.
However, for the sake of convenience, employees may circumvent these controlled systems and resort to using off-channel communication when conducting business. Employees with bad motives may even opt to use off-channel methods to conceal business communication from supervisors, auditors or regulators.
Typically, off-channel communication takes place over personal cell phones (texting), personal email accounts or messaging services such as WhatsApp, used to discuss business matters with co-workers and customers.
Prevalence of Off-Channel Communication in the Banking Industry
In our current digital, post-pandemic communication age with remote work as a new normal, even the smallest community banks likely have significant risk that employees may be using off-channel communication for business purposes – such as texting customers about loan terms, documents or disclosures.
Risks with Off-Channel Communication
The use of off-channel communication involves a variety of risks for banking organizations, including:
- Legal and compliance risk:
  - compromised ability to respond to information requests from regulators, creating risk of examination citations, enforcement actions and penalties for failure to produce records, failure to follow record-keeping requirements and failure to follow information security standards to protect confidential records;
  - compromised ability to respond to discovery requests and subpoenas to turn over off-channel communication, creating risk of sanctions and other negative litigation fallout;
  - inability to control adherence to document retention schedules, potentially leading to large amounts of discoverable documents accumulating in off-channel sources and significant cost and time to retrieve those documents per subpoena or court order; and
  - increased risk of noncompliance with e-communication laws, such as the federal CAN-SPAM Act and the E-Sign Act, depending on the facts.
- Cybersecurity risk: lack of protections against attacks on data stored in off-channel communications; and lack of control of business data stored in off-channel communications for purposes of data retention and purging.
- Operational risk: inability to monitor, review, audit or control business communications using off-channel methods; and violations of bank policy creating inconsistencies in how business is conducted.
Basis of Recent Off-Channel Communication Fines
The recent SEC and CFTC actions alleged violations of regulatory record retention requirements that ensure investigator access to business records. The actions also alleged violation of internal company records retention and data security rules.
All banks are subject to similar types of rules mandating retention of certain types of records for designated periods of time, such as rules governing anti-money laundering and consumer lending.[i] In addition, many state bank regulatory authorities have broader-based record retention rules.[ii] Also, banks are required by state and federal law to provide bank examiners with access to bank business records and to implement information security programs and records retention programs.[iii]
Options to Address Off-Channel Communication Problems
Addressing the risks posed by off-channel communication is challenging, because abruptly stopping it may not be practical and could put the bank and its employees at a disadvantage in the market.
Banks may want to consider vendor products that can be used to route communication (such as business-related texts from personal cell phones) through a company-controlled application to capture and retain the communication.
Of course, any solution would need to involve a system to audit communication practices to identify off-channel communication and related regulatory and policy violations.
Bank Regulators and Off-Channel Communication
Although the federal bank regulators – Federal Reserve, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency and Consumer Financial Protection Bureau (CFPB) – have not publicly announced enforcement actions targeting off-channel communication recently, they have indicated in prior guidance that banks must implement communication systems that control business information to avoid security breaches and ensure examiner access to bank records.[iv]
Ironically, the CFPB recently addressed its own scandal involving an employee who was engaged in a form of off-channel communication by sending emails with records identifying over 200,000 financial institution customers to his personal email account. However, that incident is unlikely to deter the bank regulatory authorities from following the lead of the SEC and CFTC in attacking the use of off-channel communication for bank business.
Seasoned bankers are familiar with the pattern of exam focus issues starting with the larger banks, then trickling down to the mid-sized banks and, finally, to smaller community banks. Off-channel communication may be headed down that path.
[i] E.g., 31 CFR 1010.400-440; 12 CFR 1002.12; 12 CFR 1026.25.
[ii] E.g., 20 CSR 1140-2.140 (Missouri rule).
[iii] 12 USC 481; 12 USC 1820(b) and (c); 12 USC 248(a); Sections 361.160 and 362.410 RSMo; 12 CFR Part 30 App. B; 12 CFR Part 364 App. B; 12 CFR Part 208 App. D-2.
[iv] Id.; see also OCC Comptroller’s Handbook: Bank Supervision Process, Appendix B; FDIC Basic Examination Concepts and Guidelines, Section 1.1; Federal Reserve Commercial Bank Examination Manual, Section 1000.1.